{ ... }:

let
  # Identity for the lukegbcom deployer: Vault's GCP secrets engine mints
  # short-lived access tokens for it, and the gitlab-runner app on
  # clouvider-lon01 is the consumer of those tokens.
  projectId = "lukegbcom";
  rolesetName = "lukegbcom-deployer";
in
{
  resource = {
    vault_gcp_secret_roleset = {
      lukegbcom_deployer = {
        # Terraform-side reference to the GCP secret backend mount. The "\${...}"
        # escape keeps the interpolation literal for Terraform instead of Nix.
        backend = "\${vault_gcp_secret_backend.gcp.path}";
        roleset = rolesetName;
        project = projectId;
        # "access_token" issues OAuth2 tokens rather than service-account keys.
        secret_type = "access_token";
        # OAuth scopes requested on every issued token.
        # NOTE(review): cloud-platform is a broad scope; the IAM binding below
        # is what actually bounds what the roleset's service account may do —
        # confirm no other binding widens it.
        token_scopes = [
          "https://www.googleapis.com/auth/cloud-platform"
          "https://www.googleapis.com/auth/firebase"
        ];
        # IAM grant attached to the roleset's service account: Firebase Hosting
        # admin on the project, and nothing further.
        binding = [
          {
            resource = "//cloudresourcemanager.googleapis.com/projects/${projectId}";
            roles = [ "roles/firebasehosting.admin" ];
          }
        ];
      };
    };
  };

  # Vault policy handed to the gitlab-runner app: read-only on the token
  # endpoint of this roleset. Inside the '' string, ''${ yields a literal ${
  # so Terraform (not Nix) resolves the roleset attributes.
  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
}