
Fix(gcloud): Correct service account email format and improve creation

Open cjac opened this issue 5 months ago • 2 comments

This commit addresses issues in the create-dpgce script related to service account handling, particularly for domain-scoped projects.

  • lib/env.sh:

    • Correctly formats the service account email (GSA) for domain-scoped projects (e.g., c9h.org:project-id) by including the domain in the email address (e.g., [email protected]).
  • lib/shared-functions.sh:

    • Replaced gcloud iam service-accounts describe with list --filter for a more reliable existence check, as describe was failing to find existing service accounts.
    • Added a retry loop for gcloud projects add-iam-policy-binding to handle potential IAM propagation delays after service account creation.
    • Ensured the script exits if role bindings fail after multiple retries.
    • Cleaned up role binding logic into a loop.

These changes ensure the script can reliably create and configure the necessary service account and its IAM roles, unblocking cluster creation.

cjac avatar Oct 01 '25 02:10 cjac
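The four behaviours the description lists (domain-aware GSA e-mail, `list --filter` existence check, retried `add-iam-policy-binding`, role loop that exits on failure) as an added POSIX shell example; this is not the `create-dpgce` script or its `lib/` code, and the helper names (`gsa_email`, `gsa_exists`, `bind_role_with_retry`, `ensure_roles`), the `GCLOUD` and `RETRY_SLEEP` overrides, and the sample project and role values are assumptions made here. The e-mail layout for `DOMAIN:PROJECT` IDs follows Google Cloud's documented convention (`NAME@PROJECT.DOMAIN.iam.gserviceaccount.com`), since the PR's own example address is not legible on the page.

```shell
#!/bin/sh
# Added example, not part of create-dpgce. Helper names, the GCLOUD/RETRY_SLEEP
# overrides and all sample values are assumptions for illustration.

# Derive the GSA e-mail from a project ID. Domain-scoped project IDs look like
# DOMAIN:PROJECT and their service-account addresses are
# NAME@PROJECT.DOMAIN.iam.gserviceaccount.com (Google Cloud naming rule).
gsa_email() {
  sa_name="$1"
  project="$2"
  case "$project" in
    *:*)
      domain="${project%%:*}"
      short="${project#*:}"
      echo "${sa_name}@${short}.${domain}.iam.gserviceaccount.com"
      ;;
    *)
      echo "${sa_name}@${project}.iam.gserviceaccount.com"
      ;;
  esac
}

# GCLOUD can be pointed at a wrapper or fake so the control flow is testable
# without touching a real project (assumed convenience, not a gcloud feature).
: "${GCLOUD:=gcloud}"

# Existence check via `list --filter`: succeeds only if the account is listed.
gsa_exists() {
  email="$1"
  project="$2"
  found="$($GCLOUD iam service-accounts list --project="$project" \
            --filter="email:${email}" --format='value(email)' 2>/dev/null)"
  [ "$found" = "$email" ]
}

# Bind one role, retrying to ride out IAM propagation delay after creation.
# --condition=None keeps the call non-interactive when the policy has
# conditional bindings.
bind_role_with_retry() {
  project="$1"
  email="$2"
  role="$3"
  max="${4:-5}"
  attempt=1
  while [ "$attempt" -le "$max" ]; do
    if $GCLOUD projects add-iam-policy-binding "$project" \
         --member="serviceAccount:${email}" --role="$role" \
         --condition=None >/dev/null 2>&1; then
      return 0
    fi
    echo "binding ${role} failed (attempt ${attempt}/${max}); retrying" >&2
    attempt=$((attempt + 1))
    sleep "${RETRY_SLEEP:-5}"
  done
  return 1
}

# Loop over the required roles; stop at the first one that cannot be bound
# after all retries, so the caller never proceeds with a half-configured GSA.
ensure_roles() {
  project="$1"
  email="$2"
  shift 2
  for role in "$@"; do
    bind_role_with_retry "$project" "$email" "$role" || {
      echo "giving up: could not bind ${role} to ${email}" >&2
      return 1
    }
  done
}
```

Usage from a script would be `email=$(gsa_email my-sa "$PROJECT")`, create the account if `gsa_exists "$email" "$PROJECT"` fails, then `ensure_roles "$PROJECT" "$email" roles/... || exit 1`. Bounding the retries matters for least-privilege hygiene: a script that loops forever on a binding failure tends to get "fixed" by handing the account a broader role instead.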

Summary of Changes

Hello @cjac, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the reliability and correctness of service account management within the create-dpgce script. It specifically addresses issues related to service account email formatting for domain-scoped projects and improves the robustness of service account creation and IAM role assignment. By implementing more reliable existence checks and retry mechanisms for IAM policy bindings, these changes ensure that the script can consistently and successfully configure the necessary Google Cloud resources, thereby unblocking cluster creation workflows.

Highlights

  • Service Account Email Formatting: The script now correctly formats Google Service Account (GSA) emails for domain-scoped projects (e.g., c9h.org:project-id) by including the domain in the email address, resolving previous issues with incorrect GSA identification.
  • Improved Service Account Existence Check: The method for checking if a service account already exists has been made more robust. It now uses gcloud iam service-accounts list --filter instead of describe, which was failing to find existing service accounts reliably.
  • Robust IAM Role Binding with Retries: A retry loop has been implemented for gcloud projects add-iam-policy-binding commands. This addresses potential IAM propagation delays after service account creation, ensuring roles are successfully bound. The script will now exit if role bindings fail after multiple retries.
  • Streamlined Role Assignment: The logic for assigning IAM roles has been refactored into a loop, making it cleaner and easier to manage. Additionally, the roles/bigquery.dataEditor role has been added to the default set of roles assigned to the service account.

gemini-code-assist[bot] avatar Oct 01 '25 02:10 gemini-code-assist[bot]

/gemini review

cjac avatar Oct 01 '25 02:10 cjac