
@zoidyzoidzoid
Created May 30, 2018 10:00
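#!/usr/bin/env bash
#
# Provision the GCP resources Heptio Ark needs in a single project:
#   - a backup bucket named <PROJECT_ID>-ark-backups
#   - a dedicated "heptio-ark" service account
#   - a custom role limited to the disk/snapshot permissions listed below
#   - a JSON key for that service account, written to ./credentials-ark
#
# Usage: ./create-service-account.sh <PROJECT_ID>
#
# Every resource is created in <PROJECT_ID> explicitly; the gcloud/gsutil
# default project is never relied on.
set -euo pipefail

# The only file this script writes is a service-account private key. Create it
# owner-only rather than depending on the caller's umask or the tool's default.
umask 077

PROJECT_ID="${1:-}"
if [[ -z "${PROJECT_ID}" ]]; then
  {
    echo "Project ID not set"
    echo
    echo "Try ./create-service-account.sh zoidbergwill-testing"
  } >&2
  exit 1
fi

readonly SERVICE_ACCOUNT_NAME="heptio-ark"
BUCKET="${PROJECT_ID}-ark-backups"

# -p pins the bucket to the requested project instead of the configured default.
gsutil mb -p "${PROJECT_ID}" "gs://${BUCKET}/"

# --project keeps the account in the same project the lookup below queries.
gcloud iam service-accounts create "${SERVICE_ACCOUNT_NAME}" \
  --project "${PROJECT_ID}" \
  --display-name "Heptio Ark service account"

# Ask gcloud for exactly the one account's email. A grep over the table output
# would also match similarly named accounts and, without pipefail, would let an
# empty result flow into the IAM bindings below.
SERVICE_ACCOUNT_EMAIL="$(
  gcloud iam service-accounts list \
    --project "${PROJECT_ID}" \
    --filter "email ~ ^${SERVICE_ACCOUNT_NAME}@" \
    --format "value(email)"
)"
if [[ -z "${SERVICE_ACCOUNT_EMAIL}" ]]; then
  echo "Service account ${SERVICE_ACCOUNT_NAME} not found in project ${PROJECT_ID}" >&2
  exit 1
fi

# Permissions granted to the custom role; nothing beyond disks and snapshots.
ROLE_PERMISSIONS=(
  compute.disks.get
  compute.disks.create
  compute.disks.createSnapshot
  compute.snapshots.get
  compute.snapshots.create
  compute.snapshots.useReadOnly
  compute.snapshots.delete
  compute.projects.get
)

# Join the array with commas inside a subshell so IFS is not changed globally.
PERMISSIONS_CSV="$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"

gcloud iam roles create heptio_ark.server \
  --project "${PROJECT_ID}" \
  --title "Heptio Ark Server" \
  --permissions "${PERMISSIONS_CSV}"

gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role "projects/${PROJECT_ID}/roles/heptio_ark.server"

# Object access is granted on the backup bucket only, not project-wide.
gsutil iam ch "serviceAccount:${SERVICE_ACCOUNT_EMAIL}:objectAdmin" "gs://${BUCKET}"

# credentials-ark holds a long-lived private key: keep it out of version
# control and remove the local copy once it is stored as a cluster secret.
gcloud iam service-accounts keys create credentials-ark \
  --iam-account "${SERVICE_ACCOUNT_EMAIL}"

# kubectl create secret generic cloud-credentials \
# --namespace <ARK_NAMESPACE> \
# --from-file cloud=credentials-ark
echo "Don't forget to add the bucket and service account json to 01-ark-config.yml"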