granting bots write access to the bucket sounds fine to me.  i assume Don knows off the top of his head how to pull this off :).

I should, and I agree that it's totally reasonable.

An unrelated thought....

Right now, we have <board>-payloads and it expects to operate on production data, without users having to set --production.

More correctly, we should have the payloads configs require --production, and generate the "<board>-payloads-tryjob" configs that don't, and which are identical other than setting the "debug" option.

If you change things to go to the new bucket based on --debug, that will fit in well with how our other tryjobs work, and -payloads can stop being special cased as much.

Also..... Object Create permissions added for chromeos.bot@gmail.com.

for clarity, the signers reject sign requests on that bucket that aren't using test keys. so we might want to have the tryjob build override the key set to dev keys.

re #3, sorry, hope not spamming too much, but can we add Delete permission too? it needs to acquire a lock and delete it afterwards. This applies to removing the hash files too.

On the same note, is there any other permission that we may need to grant? Create and Delete is the least I can think of.

Oh... I thought it had delete permission.

I'm using the new IAM roles, which are Viewer / Creator / Admin.

I granted Creator.

i've turned on versioning for the bucket

Don: can you set the lifecycle to 1 year or something ?  i've never done that before myself ...

Re#5: Are you getting errors deleting from the bucket, or just trying to make sure is has deletion permissions? I think the account should have deletion already.

Re#7 Sure. 6 months is the usual period.

dgarrett$cat lifecycle.json
{"rule": [{"action": {"type": "Delete"}, "condition": {"age": 180}}]}

dgarrett$gsutil lifecycle set ./lifecycle.json  gs://chromeos-releases-test/
Setting lifecycle configuration on gs://chromeos-releases-test/...

13:57:19: INFO: * Finished payload generation in 0:11:32.922041
13:57:25: ERROR: Failed: Build definition (board=u'edgar', version='11164.0.0', channel='canary-channel')
13:57:25: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
13:57:25: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
13:58:25: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
13:58:27: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
14:00:27: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
14:00:28: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 
14:03:28: INFO: RunCommand: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
14:03:29: WARNING: GS_ERROR: Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...
AccessDeniedException: 403 chromeos.bot@gmail.com does not have storage.objects.delete access to chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2.
 

14:03:29: ERROR: Traceback (most recent call last):
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/cbuildbot/stages/generic_stages.py", line 702, in Run
    self.PerformStage()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/cbuildbot/stages/release_stages.py", line 466, in PerformStage
    testdata = paygen.CreatePayloads()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/paygen/paygen_build_lib.py", line 934, in CreatePayloads
    self._CleanupBuild()
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/paygen/paygen_build_lib.py", line 854, in _CleanupBuild
    recursive=True, ignore_missing=True)
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/gs.py", line 1208, in Remove
    self.DoCommand(cmd, **kwargs)
  File "/b/swarming/w/ir/cache/cbuild/repository/chromite/lib/gs.py", line 919, in DoCommand
    raise GSCommandError(e.msg, e.result, e.exception)
GSCommandError: return code: 1; command: /b/swarming/w/ir/cache/cbuild/repository/.cache/common/gsutil_4.33.tar.gz/gsutil/gsutil -o 'Boto:num_retries=10' rm -R gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing
Removing gs://chromeos-releases-test/canary-channel/edgar/11164.0.0/payloads/signing/10473-140243556513600/payload.hash.tar.bz2#1540241825500052...

Okay, hopefully fixed.

Yeah, It can delete now. More updates coming!! :)

I believe this is now fixed. Please reopen if there is something else needed here.